
Re: Group values not returned with "id" command



On Thu, Sep 5, 2013 at 1:36 PM, Howard Chu <hyc@symas.com> wrote:
Justin Edmands wrote:
Hey,
Certainly new to migrations of LDAP. I migrated our old setup from OpenLDAP to
389 Directory Server. When using the "id" command on an LDAP client, it only
returns uid, gid, and one group. It for some reason does not show all of the
actual groups that the user is associated with. What is set to return these
values, and what setting ensures they are properly mapped from OpenLDAP to 389DS?

### OpenLDAP example: ###

[root openldapclient ~]# id jedmands
uid=9999(jedmands) gid=100(users)
groups=100(users),5000(manager),5001(linuxadmin),5002(storageadmin),5003(dbadmin),5004(webadmin),5006(it)

### 389 DS Example: ###

[root 389dsclient ~]# id jedmands
uid=9999(jedmands) gid=100(users) groups=100(users)

Notes:
Posted this to the 389-users list, nothing received.
We are using the memberOf plugin for 389DS.
I don't know too much about the openldap environment. I moved to CentOS 6 and
figured DS was the way to go with SSL/TLS.

I'm pretty sure you figured wrong. OpenLDAP actually works, implements the LDAP RFCs correctly, and outperforms all other LDAP servers. Compared to 389DS, OpenLDAP bulk-loads data 2x faster, uses 10% less space on disk, answers search queries 4x faster, and uses 50% less RAM to do it. (Also answers Binds 6x faster, and performs updates 11x faster.) 389DS is a hulking pile of obsolete code; the only reason it still exists today is because RedHat has support contracts for RedHatDS from customers too ignorant to realize how bad the product they've paid for actually is.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Thank god you got that off of your chest. The solution is:

/etc/sssd/sssd.conf
     [domain/default]
     ..
     ldap_group_member = memberUid
     ldap_group_search_base = ou=Group,dc=mysite,dc=com
     ..

after flushing cache, the clients see the proper groups.

https://bugzilla.redhat.com/show_bug.cgi?id=599713
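Added example, not part of the thread above: the fix tells sssd to resolve group membership from the RFC 2307 posixGroup attribute memberUid under ou=Group,dc=mysite,dc=com, so the quickest sanity check is to confirm that the groups in that subtree really carry memberUid values for the user. The script below does that offline against a constructed LDIF that mimics the poster's subtree (group names and gidNumbers 100/5000/5001 are taken from the post; the users bob and alice and the group finance are assumed) and prints the "gid(cn)" list that "id" should show once sssd reads memberUid. Against a live server the same check is "ldapsearch -x -b ou=Group,dc=mysite,dc=com '(memberUid=jedmands)' cn gidNumber".

```shell
#!/bin/sh
# Constructed LDIF standing in for an RFC 2307 posixGroup subtree. Entry
# contents are assumed for this example; only the group names and gidNumbers
# 100/5000/5001 come from the original post.
LDIF='dn: cn=users,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: jedmands

dn: cn=manager,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: manager
gidNumber: 5000
memberUid: jedmands

dn: cn=linuxadmin,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: linuxadmin
gidNumber: 5001
memberUid: jedmands
memberUid: bob

dn: cn=finance,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: finance
gidNumber: 5010
memberUid: alice
'

# groups_for_uid USER
# Prints "gid(cn)" for every posixGroup whose memberUid lists USER, comma
# separated and in directory order: the "groups=" part that "id USER" should
# report once sssd has ldap_group_member = memberUid and a matching
# ldap_group_search_base. Prints an empty line if USER is in no group.
groups_for_uid() {
    printf '%s\n' "$LDIF" | awk -v user="$1" '
        /^dn:/        { cn = ""; gid = ""; hit = 0 }      # new entry
        /^cn:/        { cn = $2 }
        /^gidNumber:/ { gid = $2 }
        /^memberUid:/ { if ($2 == user) hit = 1 }         # RFC 2307 membership
        /^$/          { if (hit && gid != "") out = out (out ? "," : "") gid "(" cn ")"
                        cn = ""; gid = ""; hit = 0 }
        END           { if (hit && gid != "") out = out (out ? "," : "") gid "(" cn ")"
                        print out }
    '
}

# Stand-alone usage: expected "100(users),5000(manager),5001(linuxadmin)".
groups_for_uid jedmands
```

If the list here is complete but "id" on the client still shows one group, the client is not the directory's fault: re-check the two sssd options in the post, then flush the cache with "sss_cache -E" and restart sssd before testing again.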